Managed Enterprise Workspace

Cleanup #ConfigMgr Software Update Groups via PowerShell

We use Automatic Deployment Rules (ADR) for Security Updates, other updates, Defender updates and third-party Software Update Catalogs. Since all these updates need to be tested through our internal rings, we use the option ‘Create a new Software Update Group’. So, if the ADR detects added updates, it creates a new Software Update Group (SUG). Once the SUGs are outdated, we need to clean them up.

Additionally, we use the option ‘Install Software Updates > Mandatory software updates only’ in the OSD task sequence to ensure that only tested updates will be applied.
As a result, we want to keep the SUG with the last expired deployment deadline but delete all older ones.

The goal

Run a PowerShell script daily that goes through the ADR-created SUGs, detects the last deadline of all deployments of the SUGs and removes all older SUGs.

The script

Needs to:

Find all active ADRs

Find all SUGs of an ADR

Find all deployments of a SUG of an ADR

Find the latest deadline of all deployments of a SUG of an ADR

Find the latest expired deadline of all deployments of all SUGs of an ADR
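
The selection steps above, sketched as an added example (not the script from this post) that runs over constructed records, so no site connection is needed. It reads the steps as: take the latest deadline per SUG, keep the SUG whose latest deadline expired most recently, and report only the SUGs older than that one. The `Adr`, `Sug` and `Deadline` property names and the helper `New-Rec` are hypothetical; in a real site the records would be built from the output of `Get-CMSoftwareUpdateGroup` and `Get-CMSoftwareUpdateDeployment`.

```powershell
# Added example: selection logic only, run over constructed records.
# Assumption: each record is one deployment of an ADR-created SUG, flattened
# to Adr / Sug / Deadline (hypothetical property names). SUGs without any
# deployment never appear in the input and are therefore never returned.
function Get-ObsoleteSug {
    param(
        [Parameter(Mandatory)] [object[]] $Deployment,
        [datetime] $Now = (Get-Date)
    )
    foreach ($adr in ($Deployment | Group-Object -Property Adr)) {
        # Latest deadline of all deployments of each SUG of this ADR
        $sugs = foreach ($sug in ($adr.Group | Group-Object -Property Sug)) {
            $last = $sug.Group | Sort-Object -Property Deadline | Select-Object -Last 1
            [pscustomobject]@{
                Adr            = $adr.Name
                Sug            = $sug.Name
                LatestDeadline = $last.Deadline
            }
        }
        # A SUG counts as expired only when its latest deadline has passed
        $keep = $sugs | Where-Object { $_.LatestDeadline -lt $Now } |
            Sort-Object -Property LatestDeadline -Descending |
            Select-Object -First 1
        if (-not $keep) { continue }   # nothing expired yet: remove nothing
        # Everything older than the SUG we keep is a removal candidate
        $sugs | Where-Object { $_.LatestDeadline -lt $keep.LatestDeadline }
    }
}

function New-Rec($Adr, $Sug, $Deadline) {
    [pscustomobject]@{ Adr = $Adr; Sug = $Sug; Deadline = [datetime]$Deadline }
}

# Constructed sample data: two ADRs, several ring deadlines per SUG
$sample = @(
    New-Rec 'ADR Security' 'ADR Security 2024-01-09' '2024-01-16'
    New-Rec 'ADR Security' 'ADR Security 2024-01-09' '2024-01-30'
    New-Rec 'ADR Security' 'ADR Security 2024-02-13' '2024-02-20'
    New-Rec 'ADR Security' 'ADR Security 2024-02-13' '2024-03-05'
    New-Rec 'ADR Security' 'ADR Security 2024-03-12' '2024-03-19'
    New-Rec 'ADR Security' 'ADR Security 2024-03-12' '2024-04-02'
    New-Rec 'ADR Defender' 'ADR Defender 2024-03-18' '2024-03-25'
)

# Review the candidates before passing them to any removal step
Get-ObsoleteSug -Deployment $sample -Now ([datetime]'2024-03-20') | Format-Table
```

The March SUG has one ring deadline in the past but its last ring is still pending, so it does not count as expired and the February SUG is the one kept. An ADR with no expired SUG yields no candidates at all.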